New service offers major advance in data encryption and protection, even when in use.

The feature, called ‘Confidential Compute’, will ensure that data stays encrypted even while it is being computed on in memory. Until now, data has typically been encrypted only while stored or while in transit on a network.

Microsoft says this feature will make sure data stays away from prying eyes, including hackers, government warrants or even Microsoft itself.

There will be two modes to the feature – one built on virtual machines, and the other using Software Guard Extensions (SGX). Both allow applications to isolate parts of their data and code so that they run inside a “trusted execution environment”, or TEE. Nothing inside the TEE can be seen from the outside.

The virtual-machine mode uses Virtual Secure Mode (VSM) functionality. Even in the event of an attack, and even if the attacker gains access to the main VM, the data inside the VSM TEE remains out of reach.

“Data breaches are virtually daily news events, with attackers gaining access to personally identifiable information (PII), financial data, and corporate intellectual property. While many breaches are the result of poorly configured access control, most can be traced to data that is accessed while in use, either through administrative accounts, or by leveraging compromised keys to access encrypted data,” Microsoft said in a blog post.

“Despite advanced cybersecurity controls and mitigations, some customers are reluctant to move their most sensitive data to the cloud for fear of attacks against their data when it is in-use. With confidential computing, they can move the data to Azure knowing that it is safe not only at rest, but also in use.”